#!/usr/bin/env python3
# Originally written in PowerShell by Brian Holiday
# Modified and re-written (aka mangled) in Python by Christopher van de Sande
# Requires Python 3.x, Requests module and awscli (pip3 install requests awscli)
# V2 -- 26.08.2017 -- Re-written to support multiple threads cross platform
# V3 -- 21.11.2018 -- Cloudgateway was returning no values, so keep hitting it
# with a while loop until it bleeds
# This script supports username and password as arguments, otherwise it detects
# or simply prompts the user for what it needs
# format is 'getCreds.py DOMAIN Username Password'
# e.g getCreds.py EUROPE cvandesande MyPassWord
#
import getpass
import multiprocessing.pool
import os
import platform
import shlex
import subprocess
import sys
import time

import requests
# Main variables set these as you see fit
accToPull = 'Ops'  # substring matched against each role's 'name' when picking accounts
rolesUrl = 'https://cloudgateway.pgi.com/api/aws/roles'
sessionsUrl = 'https://cloudgateway.pgi.com/api/aws/sessions'
hours = '36'  # session duration requested from CG; 36 is the maximum
reason = 'Daily backup of keys'
setKeyCmd = 'aws configure set aws_access_key_id '
setSecretCmd = 'aws configure set aws_secret_access_key '
# Headers sent with every CG request. The two credential slots are filled in
# by setHeaders(); the password travels as a plain request header and lives
# in this process-wide dict for the rest of the run.
headers = {
    'CloudGateway-Username': '',
    'CloudGateway-Password': '',
    'Accept': 'application/vnd.cloudgateway.v1+json',
    'Content-Type': 'application/json',
}
# NOTE(review): None is not an integer limit, so this appears to leave
# traceback output at its default rather than shortening it -- confirm intent.
sys.tracebacklimit = None
# Check for awscli installation
def awsCheck():
    """Verify the ``aws`` CLI is runnable by invoking ``aws --version``.

    The command's own output is left on the terminal as evidence.

    Raises:
        ValueError: if ``aws --version`` exits with a non-zero status
            (including the case where ``aws`` is not on PATH).
    """
    print('Checking for existence of awscli...')
    status = os.system('aws --version')
    print()
    if status != 0:
        raise ValueError('Error running aws, make sure you have awscli installed')
# Fancy function to gather user credentials
def userCreds():
    """Return ``(username, password)`` for the CG login.

    Sources, in priority order:
      1. exactly three positional arguments: ``DOMAIN Username Password``;
      2. on Windows, an interactive prompt pre-filled with
         ``USERDOMAIN\\<logged-in user>`` (Enter accepts the default);
      3. otherwise a plain prompt for ``DOMAIN\\UserName``.
    In the interactive cases the password is read without echo.
    """
    argv = sys.argv
    if len(argv) == 4:
        return (argv[1] + '\\' + argv[2], argv[3])
    if platform.system() == 'Windows':
        print('Please type your DOMAIN\\Username or enter to use logged in user')
        default_user = os.environ['userdomain'] + '\\' + getpass.getuser()
        typed = input('Username ' + '[' + default_user + ']: ')
        user = typed or default_user
    else:
        print()
        user = input('Please type your DOMAIN\\UserName: ')
    # Both interactive paths prompt for the password right after the username.
    password = getpass.getpass(prompt='Enter password: ', stream=None)
    return (user, password)
# Update headers with user credentials
def setHeaders(user, password):
    """Store the CG username and password in the module-level ``headers`` dict.

    The dict is mutated in place (no rebinding, so ``global`` is not needed);
    every later request in this module then sends both values as headers.
    """
    headers.update({
        'CloudGateway-Username': user,
        'CloudGateway-Password': password,
    })
# Fetch list of roles from CG
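def getRoles(timeout=30):
    """Fetch the role list from CG and return the decoded JSON body.

    Args:
        timeout: seconds to wait for the gateway, passed to ``requests.get``.
            Without a timeout the ``Timeout`` handler below can never fire and
            a stalled gateway hangs the script indefinitely.

    Returns:
        The parsed JSON response; ``main`` reads its ``roles`` list.

    Raises:
        ValueError: on any transport error (the original printed the message
            and then crashed on an unbound ``roles``), or when CG reports
            ``Authentication failure``.
    """
    try:
        roles = requests.get(rolesUrl, headers=headers, timeout=timeout).json()
    except requests.exceptions.Timeout as err:
        raise ValueError('Timeout connecting to Cloud Gateway') from err
    except requests.exceptions.ConnectionError as err:
        raise ValueError('Error during connection attempt, check rolesUrl') from err
    except requests.exceptions.TooManyRedirects as err:
        raise ValueError('Too many redirects, check rolesUrl') from err
    except requests.exceptions.RequestException as err:
        raise ValueError(str(err)) from err
    # A successful body need not carry an 'errors' key; indexing it directly
    # raised KeyError on the happy path.
    errors = roles.get('errors') if isinstance(roles, dict) else None
    if errors and 'Authentication failure' in errors:
        raise ValueError('Invalid username or password')
    return roles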
# Function to retrieve aws credentials (slow)
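def reqCreds(account, timeout=30, max_attempts=None, retry_delay=1.0):
    """Request a temporary AWS session for ``account`` and return its credentials.

    Posts ``{'duration_hours': hours, 'role_id': account, 'reason': reason}``
    to ``sessionsUrl`` and re-posts while CG answers with a null
    ``session.credentials`` (the V3 "keep hitting it" behaviour), now with a
    pause between tries instead of a tight loop.

    Args:
        account: CG role id (the ``id`` field of a role from getRoles).
        timeout: seconds passed to ``requests.post``; without it the
            ``Timeout`` handler can never fire.
        max_attempts: stop and raise after this many posts; ``None`` keeps
            the original retry-forever behaviour.
        retry_delay: seconds to sleep before each retry.

    Returns:
        ``{account: credentials}`` where ``credentials`` is the response's
        ``session.credentials`` object (setCreds reads ``access_key_id`` and
        ``secret_access_key`` from it).

    Raises:
        ValueError: on a transport error, a response without
            ``session.credentials``, or when ``max_attempts`` is exhausted.
    """
    body = {'duration_hours': hours, 'role_id': account, 'reason': reason}
    attempt = 0
    credentials = None
    while credentials is None:
        attempt += 1
        if max_attempts is not None and attempt > max_attempts:
            raise ValueError('No credentials from ' + str(account)
                             + ' after ' + str(max_attempts) + ' attempts')
        if attempt > 1:
            print('Got nothing from ' + str(account) + ' Retrying...')
            time.sleep(retry_delay)
        credentials = _postSession(body, timeout)
    print('\033[92m'
          + 'Successfully retrieved '
          + accToPull
          + ' keys for '
          + str(account)
          + '\x1b[0m')
    return {account: credentials}


def _postSession(body, timeout):
    """POST one session request and return ``session.credentials`` (may be None).

    Transport errors and a body lacking the expected keys are reported as
    ValueError (this file's convention) rather than surfacing as an unbound
    local or a KeyError inside a worker thread.
    """
    try:
        r = requests.post(sessionsUrl, headers=headers, json=body, timeout=timeout).json()
    except requests.exceptions.Timeout as err:
        raise ValueError('Timeout connecting to Cloud Gateway') from err
    except requests.exceptions.ConnectionError as err:
        raise ValueError('Error during connection attempt, check sessionsUrl') from err
    except requests.exceptions.TooManyRedirects as err:
        raise ValueError('Too many redirects, check sessionsUrl') from err
    except requests.exceptions.RequestException as err:
        raise ValueError(str(err)) from err
    try:
        return r['session']['credentials']
    except (KeyError, TypeError) as err:
        raise ValueError('Unexpected response from ' + sessionsUrl
                         + ': no session credentials') from err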
# Run aws configure for account, key, secret
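def setCreds(account, key, secret):
    """Write ``key``/``secret`` into the awscli profile named ``account``.

    Runs the two commands configured in ``setKeyCmd`` and ``setSecretCmd`` as
    argument lists with no shell, so a value returned by the gateway that
    contains shell metacharacters cannot alter the command (the original
    interpolated them into an ``os.system`` string). The secret still appears
    on the child's command line, as before.

    NOTE(review): resolving ``aws`` without a shell assumes it is an
    executable on PATH; confirm on Windows installs where awscli may be a
    ``.cmd`` wrapper.

    Raises:
        subprocess.CalledProcessError: if either ``aws configure`` call
            fails, instead of silently counting the profile as configured.
    """
    profile = str(account)
    for command, value in ((setKeyCmd, key), (setSecretCmd, secret)):
        argv = shlex.split(command) + [str(value), '--profile', profile]
        subprocess.run(argv, check=True)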
# Main function, calls other functions, sorts values for next call
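def main():
    """Check awscli, log in to CG, fetch keys for every matching role, configure profiles.

    Raises:
        ValueError: propagated from the helpers, or when no role name
            contains ``accToPull``.
    """
    awsCheck()
    user, password = userCreds()
    setHeaders(user, password)
    print('Connecting to CloudGateway as ' + user + ' please stand by...')
    roles = getRoles()
    # Keep the ids of roles whose name contains accToPull.
    accounts = [role['id'] for role in roles['roles'] if accToPull in role['name']]
    if not accounts:
        raise ValueError('Could not find any accounts matching ' + '"' + accToPull + '"')
    # One worker per account, as before (the author noted this may be a lot of
    # parallel requests). map() blocks until every worker returns, and the
    # context manager terminates the pool even if a worker raises.
    with multiprocessing.pool.ThreadPool(len(accounts)) as pool:
        awsCredList = pool.map(reqCreds, accounts)
    # Back to single threaded mode to configure awscli serially
    for creds in awsCredList:
        for roleId, cred in creds.items():
            setCreds(roleId, cred['access_key_id'], cred['secret_access_key'])
    print(str(len(accounts)) + ' aws profiles configured')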
# Start the show
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()